MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873
SHA3-384 hash: cf0dc41664990947222b052108fdf289434ad0e5b4415888848d789596795da476cff057a83e9872d05f8aec8219bc88
SHA1 hash: 200974b763a6cb5e9041b63152f77cc4e00d0822
MD5 hash: 15c52bca7cbd708746d86e2026884e13
humanhash: lemon-carbon-kilo-lima
File name:15c52bca7cbd708746d86e2026884e13.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:819'200 bytes
First seen:2023-06-17 07:30:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:8MrOy90AgD0V4Hvf42HOnfiRC1wBa1IzhXvPbu12ywAxFyb4:qye02PfXHdRC1G6IzhnMQE
Threatray 2'694 similar samples on MalwareBazaar
TLSH T1A50512136AD88232C87213705CF716871E32BC908DB5536A2784EFA95DB2BD875B2B17
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.142.138.212:26540

Intelligence

File Origin
# of uploads :
1
# of downloads :
475
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
15c52bca7cbd708746d86e2026884e13.exe
Verdict:
Malicious activity
Analysis date:
2023-06-17 07:33:22 UTC
Tags:
rat redline amadey trojan loader
Link:
https://app.any.run/tasks/b207596f-422d-4dfb-b5a0-e711f3485ce4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399745/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching a service
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91109/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll amadey anti-vm CAB greyware installer lolbin packed rundll32.exe setupapi.dll shell32.dll zusy
Link:
https://www.filescan.io/uploads/648d61362550d676edfbff8b/reports/db0c52b3-97af-47f5-b33a-e4e61409fcbd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5db2b9b-78f4-4191-8d50-eeb01e1ac598
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256419
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 889435 Sample: 5VbgUxsHjd.exe Startdate: 17/06/2023 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Found malware configuration 2->77 79 13 other signatures 2->79 10 5VbgUxsHjd.exe 1 4 2->10         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        17 2 other processes 2->17 process3 file4 49 C:\Users\user\AppData\Local\...\z6552262.exe, PE32 10->49 dropped 51 C:\Users\user\AppData\Local\...\t0137123.exe, PE32 10->51 dropped 19 z6552262.exe 1 4 10->19         started        process5 file6 41 C:\Users\user\AppData\Local\...\z1519049.exe, PE32 19->41 dropped 43 C:\Users\user\AppData\Local\...\s6582552.exe, PE32 19->43 dropped 81 Antivirus detection for dropped file 19->81 83 Multi AV Scanner detection for dropped file 19->83 85 Machine Learning detection for dropped file 19->85 23 z1519049.exe 1 4 19->23         started        signatures7 process8 file9 45 C:\Users\user\AppData\Local\...\z6371625.exe, PE32 23->45 dropped 47 C:\Users\user\AppData\Local\...\r9745767.exe, PE32 23->47 dropped 87 Antivirus detection for dropped file 23->87 89 Multi AV Scanner detection for dropped file 23->89 91 Machine Learning detection for dropped file 23->91 27 z6371625.exe 1 4 23->27         started        signatures10 process11 file12 53 C:\Users\user\AppData\Local\...\p0780280.exe, PE32 27->53 dropped 55 C:\Users\user\AppData\Local\...\o8728166.exe, PE32 27->55 dropped 93 Antivirus detection for dropped file 27->93 95 Multi AV Scanner detection for dropped file 27->95 97 Machine Learning detection for dropped file 27->97 31 o8728166.exe 5 27->31         started        35 p0780280.exe 9 1 27->35         started        signatures13 process14 dnsIp15 57 83.97.73.130, 19061, 49682 UNACS-AS-BG8000BurgasBG Germany 31->57 59 Antivirus detection for dropped file 31->59 61 Multi AV Scanner detection for dropped file 31->61 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->63 71 2 other signatures 31->71 37 conhost.exe 31->37         started        65 Machine Learning detection for dropped file 35->65 67 Disable Windows Defender notifications (registry) 35->67 69 Disable Windows Defender real time protection (registry) 35->69 39 conhost.exe 35->39         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-06-17 06:26:59 UTC
File Type:
PE (Exe)
Extracted files:
152
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=swcdca26363wfbs6atl3o54wikmqkyv6ib5deona2bltp7npjbzq._file
Verdict:
malicious
Similar samples:
0aba977bc3c3ebf7573ea899df6d90dd9f1bf6d84421942e839255cc623d3f39
RedLineStealer
2ea48de0cb2566d92d84d31e518ca7e3da48d1ffcc8268a4222e8f7b3a99dddc
RedLineStealer
55cd35e3d1b71771cb7298584af77597588373c777a948bc308070d74fd5243e
RedLineStealer
5b03983f7a89fa845b2a940a06455848c42f84f88234052051b2a9e9ed1f7a33
RedLineStealer
7b12249bd4288cf34ca6dc5a0c100d2082da6c215296af919e3cd68504249132
RedLineStealer
9faca33e220f9b75c3d7df6f750927ceb738d5ae349b41d22f1a30f15954d9b6
RedLineStealer
c042a2264faa2bf81b7b057d280ab14c2027b8da71cf521d4e9bd2e8e08f3e8c
RedLineStealer
d03161003bf1cb65324c3d57ae3d96ecdfbe844e12d237b9cdb2a00f67c714ea
RedLineStealer
e2e7be5a1fa9c7c57e26e168cb7060a4188bafe19af2927ae756972ff2e5c4f2
RedLineStealer
ee795797a97c639a09c43d77a711f46e8d3f571ea8f1fb9f16201926950bcc7c
RedLineStealer
+ 2'684 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:grega botnet:ledo discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230617-jcc9dsah49/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
83.97.73.130:19061
95.214.27.98/cronus/index.php
Unpacked files
SH256 hash:
1b4414fc7c275b728ea1dad4336f9062c7988852aff1a0751a997e1bfa606ca8
MD5 hash:
6fb26ec00581bf814eb1257d39b33168
SHA1 hash:
8fb5b94dc0539cacdc2957c3e20ba62679357a62
Link:
https://www.unpac.me/results/79667468-2100-4e33-a22e-b1a28bca97c2/
SH256 hash:
8b1623c6714a5661fb7e7296783591d586149605472c7a1d6167c153cdf52f7f
MD5 hash:
82725e5abb4d5b46419fc823f24dad89
SHA1 hash:
4916d82e3410d01fc00e32dff5f65f1aadbd97e2
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/79667468-2100-4e33-a22e-b1a28bca97c2/
Parent samples :
d52b08e0ba8f58e42fedb287ffe8ec653f7035fc5d9da5e130bb911e09a0d2e6
c9ec54189e36ee057b3c134c6118d18046e0b808d352d68ddee33ff58e0d047f
2ccd357e94ebb0dbc6b4dc7d77247c08474593d983b5c9cfd191a2f8c105bc80
844ec6982cd490e5fd08a9ecc4be54a3c8f5b43b76e0475b733573cb31dd9dfa
defc8629ec568833c618b6fe81ac45ff7908bb553b2811850a2e7f2e60b446b8
2238986fb7a16be5dad3f0c3f8d8cac880588e5e84127fc83228ffc6d7814eef
61e82301d812c2d2710dcd4900890e6c291e0e7dfcbe60762ef199e726b44212
bac87051ee827b2e05115e579ba03c1e234618b1dcaa99304c0ec6a296d1a7e6
14ad0b220fec046cad2a8e8dff2d89f107566da3f68c011c225fa6bab29c52ad
958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873
6366eb832db7377d14b1065e56360344c77d4233d896ffc56538f2c3c563014d
989bf8e0d175239e3bbcaf55a5fd9608b02f231e7173d5c521f45ba2fb93a377
SH256 hash:
d1c845e4d824be1f24ee06890f79a55b07e34ec2a2ed5d203a6002608aec6468
MD5 hash:
a2b3c2721fff7bc8f441a5a92bd27fbd
SHA1 hash:
8216f4d82c44487efe3370d57802204de8c1d654
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/79667468-2100-4e33-a22e-b1a28bca97c2/
SH256 hash:
4ace56997b91cf6d789500c40b9bf7be96eaf51c1f964163f2b0cec68a16640b
MD5 hash:
9c4119d83697656c79976de6179df150
SHA1 hash:
f953ea461d64deec41c389b321a3e2cf86a33f39
Link:
https://www.unpac.me/results/79667468-2100-4e33-a22e-b1a28bca97c2/
SH256 hash:
d704b28bf8a85881aa5d83d1714014e25993894c5ddb61ca747bbebd4721bf8d
MD5 hash:
1f5842c7f57e51f5cb23189652016635
SHA1 hash:
05f8d3a6d6c6fa5f22a82effe70004e52e35c9bc
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/79667468-2100-4e33-a22e-b1a28bca97c2/
SH256 hash:
958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873
MD5 hash:
15c52bca7cbd708746d86e2026884e13
SHA1 hash:
200974b763a6cb5e9041b63152f77cc4e00d0822
Link:
https://www.unpac.me/results/79667468-2100-4e33-a22e-b1a28bca97c2/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/958431035edf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 958431035edfb762865e04d7b7779642990562be407a3239a0d05737fdaf4873

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2631490/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/399745/

Comments